
The Final CCPA Amendments Are In.  What They Mean To You.

On Friday, October 11, California Governor Gavin Newsom signed into law several bills passed by the California legislature that address data protection.  Most address the California Consumer Privacy Act of 2018 (the CCPA or Act).  Overall, the substance and strength of the Act remains the same but there are some additions and caveats that merit review by data protection professionals.  This post summarizes them.

Executive Summary of CCPA Amendments

CCPA Amendment Summary
  • A.B. 1202 (Data brokers): Data brokers must now register with the California Attorney General’s office.
  • A.B. 25 (CCPA amendment): One-year exemption for “employee” data.
  • A.B. 874 (CCPA amendment): Adds “reasonably” to the definition of “personal information.”
  • A.B. 1355 (CCPA amendment): One-year exemption for “business-to-business” data; numerous drafting errors corrected.
  • A.B. 1146 (CCPA amendment): Exemption for certain information related to motor vehicle repairs and recalls.
  • A.B. 1130 (Breach notification): Adds new types of personal data subject to the state breach notification statute.

CCPA Amendments and Related Legislation – Analysis

None of the CCPA amendments (or related legislation) vitiates the substance and strength of the Act, something feared by data protection advocates.  For the most part, the changes represent clarifications or the resolution of drafting errors.  According to the authors of the original CCPA ballot initiative, the Act was designed to be consumer centric and didn’t contemplate employee data.  However, employee personal data (which includes data about contractors and others) is protected from an HR data perspective, albeit not until January 1, 2021.  Also for employees, their business communications in the context of conducting business due diligence are similarly protected, also with a January 1, 2021 start date.

The promulgation of a data broker registration law means that two U.S. states (Vermont being the first) now regulate data brokers.  Vermont’s law, passed in 2018, helped uncover many companies involved in data brokering, an industry that previously was not well known to the public.  California’s approach to data brokers is similar and will almost certainly expand this awareness.  One noteworthy amendment to the Act is the addition of “reasonably” to the definition of personal data:

1798.140(o)(1) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

However, the existing “reasonably” (“or could reasonably be linked, directly or indirectly”) is likely already adequate to transform a data element into a personal one, given how easy it is for an element to be indirectly linked with a particular consumer or household.  Finally, the expansion of the data elements considered personal under California’s breach notification law (including a passport number, military ID, or unique biometric identifier) has some potential to increase breach-related litigation.  Companies that process such information will likely wish to review their data inventories for needed updates.

Summary of CCPA Amendments and Related Legislation

The following represents a summary of the amendments to the CCPA as well as related legislation signed into law just prior to the end of California’s legislative session.  The CCPA is very complex, however, and companies are advised to consult their legal counsel for compliance specifics.

A.B. 1202

Change: Data brokers must now register with the California Attorney General’s office. A “data broker” is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.

Analysis: Roughly equivalent to the Vermont data broker registration law.

A.B. 25

Change:
  • Exemption for “employee” data until Jan. 1, 2021. Included in this is “information collected from a natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.”
  • These individuals must still be informed of the categories of personal information to be collected and the purposes for which those categories shall be used by the business. They also retain their right to bring a private action for a data breach under §150.

Analysis: Given that this law was consumer centric as originally conceived, applicability to employees in any context is arguably a significant change.

A.B. 874

Change: The definition of “personal information” now includes the word “reasonably” before “capable of being associated with,” as in: 1798.140(o)(1) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Analysis: It’s unclear how much this change will benefit the defendants in breach litigation, given that “indirectly” is not a tough hurdle to clear.

A.B. 874

Change: Any information that is lawfully made available from federal, state, or local government records is now “publicly available” and not “personal information,” and does not require a “purpose” analysis.

Analysis: Addresses a problem in the original bill text, which required determining whether public data is being used for a purpose outside its originally intended purpose.

A.B. 1355

Change:
  • Exempts “deidentified” and “aggregate” data, because neither qualifies as “personal information” under the CCPA’s definition.
  • Prohibits a business from discriminating against the consumer for exercising any of the consumer’s rights under the Act, except if the differential treatment is reasonably related to the value provided to the business by the consumer’s data.
  • Clarifies “that a consumer has the right to request the” specific pieces of personal information the business has collected about that consumer.
  • Clarifies that a business is not required to “collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.”
  • Clarifies and (arguably) broadens the inapplicability of the CCPA to personal information collected pursuant to the Fair Credit Reporting Act (FCRA).

Analysis: Sometimes referred to as a “clean up” bill, because it fixed several drafting errors.

A.B. 1355

Change: Provides a “business-to-business” exemption, which only lasts one year. Essentially, it applies to employees who are conducting due diligence regarding a product or a service from another entity. However, the “do not sell,” non-discrimination, and private right of action (in the event of a breach) provisions still apply.

Analysis: The “business-to-business” (or B2B) application of the CCPA is similar to how the GDPR approaches personal data gathered in business contexts. The one-year exemption period was likely developed to lessen the burden on so-called MarTech companies (e.g., Salesforce.com, Marketo, Eloqua, etc.).

A.B. 1355

Change: Provides for the California Attorney General “to establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns.”

Analysis: The driver behind adding or clarifying the creation of rules by the California Attorney General regarding the verification needed for revealing “household” personal information is the potential for abuse (such as in divorce proceedings).

A.B. 1146

Change: Provides an exception to the right to opt out for vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall.

Analysis: Arguably, §1798.105(d)(1), (7), and/or (9) of the Act already imply such an exception.

A.B. 1146

Change: Provides an exception to the right to request that a business delete personal information about the consumer if the personal information is necessary to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.

Analysis: Arguably, §1798.145(a) of the Act obviates the need for this exception.

A.B. 1130

Change: Adds the following to the definition of “personal information” for breach reporting purposes:

  • Unique biometric data
  • Tax identification numbers
  • Passport numbers
  • Military identification numbers
  • Unique identification numbers issued on a government document (in addition to those for driver’s licenses and California identification cards)

These changes apply to California government agencies and businesses.

Analysis: Expands the type of personal information that implicates breach reporting and, consequently, the opportunities for class-action litigation related to a breach.
